Weaknesses in the way Tesla's high-end Model S electric sedan communicates with its drivers could leave the car open to attacks that let a remote attacker unlock its doors and continuously track its location, a security researcher said.

The most serious vulnerability stems from Tesla's minimum password requirement, which is just six characters with at least one number and one letter, according to a recently published evaluation from independent security researcher Nitesh Dhanjani. Combined with no clear account-lockout policy limiting incorrect login attempts, that requirement leaves passwords susceptible to online brute-force attacks, which cycle through candidate passwords until the right one is found. Armed with a valid password, an attacker could use the Tesla iOS app to check the car's location and charge status and to unlock its doors. Update: On Tuesday, four days after the evaluation was published, Tesla raised the minimum to eight characters with at least one number and one letter. The company also added a lockout after five unsuccessful login attempts, after which users must reset the password.

Dhanjani has previously uncovered weaknesses in Internet-connected LED lights, networked baby monitors, and other "Internet-of-things" devices, and he pointed out that a large percentage of people use identical or very similar passwords for multiple services. That means that even if Tesla improves its password policy, Model S accounts could still be compromised if the same password turns up in a database stolen from an unrelated website. Password reuse is by no means a threat unique to Model S owners, but given that a single password can both track and unlock a car, the consequences here could be particularly severe.
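The two gaps the article describes so far, a six-character keyspace with no lockout and the reuse of passwords leaked elsewhere, are easy to model. The following is an added example, not code from the article, from Tesla or from Dhanjani: it counts the keyspace under the old and new policies, implements the per-account lockout after five failures that Tesla adopted, and rejects a reset password that appears in a (constructed) breach list. The user store, the breach list and the guess rate are assumptions for illustration.

```python
"""Added example, not code from the article, from Tesla or from Dhanjani.
It models the two gaps the article describes, a small keyspace with no
lockout and reuse of passwords leaked elsewhere, and the checks that close
them: a per-account lockout after five failures (the policy Tesla adopted)
and a reject-if-breached rule at password-reset time. The user store and
the "breached" list are constructed for the example."""
from __future__ import annotations

import hashlib
import secrets

LETTERS = 52  # a-z and A-Z
DIGITS = 10


def keyspace(length: int) -> int:
    """Number of alphanumeric passwords of exactly `length` characters that
    contain at least one letter and at least one digit. Inclusion-exclusion:
    all alphanumeric strings minus the all-letter and the all-digit ones."""
    return (LETTERS + DIGITS) ** length - LETTERS ** length - DIGITS ** length


def hours_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time for an online guesser that is never throttled."""
    return space / guesses_per_second / 3600.0


# Constructed stand-in for a credential dump from an unrelated site; a real
# deployment would query a breach corpus (e.g. by hash prefix) instead.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest() for p in ("Tesla123", "abc123", "summer2014")
}


def is_breached(password: str) -> bool:
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1


def acceptable(password: str, min_len: int = 8) -> bool:
    """Post-fix policy (8+ chars, a letter and a digit) plus a reuse check."""
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    return len(password) >= min_len and has_letter and has_digit and not is_breached(password)


class LoginGuard:
    """Login endpoint with a per-account lockout: after MAX_FAILURES wrong
    guesses the account refuses every attempt, right or wrong, until the
    password is reset. Passwords are stored salted and stretched."""

    MAX_FAILURES = 5

    def __init__(self, users: dict[str, str]):
        self._salt: dict[str, bytes] = {}
        self._hash: dict[str, bytes] = {}
        self._failures: dict[str, int] = {}
        for user, password in users.items():
            self._store(user, password)

    def _store(self, user: str, password: str) -> None:
        self._salt[user] = secrets.token_bytes(16)
        self._hash[user] = self._derive(user, password)
        self._failures[user] = 0

    def _derive(self, user: str, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt[user], 100_000)

    def is_locked(self, user: str) -> bool:
        return self._failures.get(user, 0) >= self.MAX_FAILURES

    def attempt(self, user: str, password: str) -> bool:
        if user not in self._hash or self.is_locked(user):
            return False
        if secrets.compare_digest(self._hash[user], self._derive(user, password)):
            self._failures[user] = 0
            return True
        self._failures[user] += 1
        return False

    def reset(self, user: str, new_password: str) -> bool:
        """Out-of-band reset (after identity verification) clears the lock,
        but only for a password that passes the policy and reuse checks."""
        if user not in self._hash or not acceptable(new_password):
            return False
        self._store(user, new_password)
        return True


if __name__ == "__main__":
    for n in (6, 8):
        print(f"{n}-char policy: {keyspace(n):,} candidates, "
              f"{hours_to_exhaust(keyspace(n), 1000):,.0f} h at 1000 guesses/s")
```

The keyspace numbers make the point that length alone is a weak fix: the eight-character policy multiplies the search space by roughly 4,500, but an unthrottled guesser still only needs time, and a reused password needs no guessing at all. The lockout is what turns an online brute-force into a denial-of-service at worst, and the breach check is what blunts reuse.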

Avoid third-party apps, for now

Model S passwords are also susceptible to theft or leakage through third-party apps such as Tesla for Glass for Google Glass and the upcoming Automate Your Tesla. Dhanjani said such apps work by reverse engineering the REST-style web API that Tesla built for its own iOS app and has not advertised for outside use. The API doesn't support OAuth or a similar delegated-authorization scheme that would let an app act on an owner's behalf without ever handling the owner's password. By exposing driver credentials to unvetted third-party developers, the interface increases the chance they will be leaked in a breach of a developer's systems or even by a rogue employee, Dhanjani warned.

"Tesla designed the API for their own iOS apps to function and they have not advertised it as a good way for third parties to avail the functionality," the researcher told Ars. "Unless Tesla announces a way for third parties to authorize access to car data (which they have not because the API has been reverse engineered), the Tesla owners are submitting their credentials to third parties who are unvetted and can abuse the credentials to check on the location of the cars and unlock them."

Image: Tesla user credentials collected by a third-party app. Credit: Nitesh Dhanjani

For the time being, Dhanjani advised Model S users to steer clear of third-party apps.
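What delegated authorization would change is worth seeing in code. The block below is an added example, not Tesla's API and not any third-party app's code: the owner authenticates only to the vendor's issuer, and a registered app receives a scoped, expiring, revocable token instead of the password. The resource server then enforces scope per action, so an app granted "read:charge" cannot unlock doors, and keeps an audit trail naming the client. The scope names, action names, token format and owner store are all assumptions for illustration.

```python
"""Added example, not Tesla's API nor any third-party app's code. It shows
what the article says the API lacks: delegated authorization, where the
owner authenticates only to the vendor and the third-party app receives a
scoped, expiring, revocable token instead of the password. The scopes,
action names, token format and the owner store are assumptions."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed scope -> permitted API actions; chosen to mirror the capabilities
# the article lists (location, charge status, door unlock).
SCOPE_ACTIONS = {
    "read:charge": {"charge_state"},
    "read:location": {"drive_state"},
    "write:doors": {"door_lock", "door_unlock"},
}


class AuthorizationServer:
    """Vendor-side issuer. The owner's password is checked here and nowhere
    else; registered clients only ever hold tokens."""

    def __init__(self, owners: dict[str, str]):
        self._owners = owners                   # constructed owner -> password
        self._key = secrets.token_bytes(32)     # HMAC key for token signatures
        self._revoked: set[str] = set()
        self.clients: set[str] = set()

    def register_client(self, client_id: str) -> None:
        self.clients.add(client_id)

    def issue_token(self, owner, password, client_id, scopes, ttl=3600, now=None):
        stored = self._owners.get(owner)
        if client_id not in self.clients or stored is None:
            return None
        if not hmac.compare_digest(stored.encode(), password.encode()):
            return None
        now = time.time() if now is None else now
        claims = {"sub": owner, "client": client_id, "scope": sorted(scopes),
                  "exp": now + ttl, "jti": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def _decode(self, token: str):
        """Return the claims if the signature verifies, else None."""
        body, _, sig = token.partition(".")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return None
        return json.loads(base64.urlsafe_b64decode(body))

    def revoke(self, token: str) -> None:
        """Owner-initiated kill switch for one app, with no password change."""
        claims = self._decode(token)
        if claims:
            self._revoked.add(claims["jti"])

    def verify(self, token: str, now=None):
        claims = self._decode(token)
        now = time.time() if now is None else now
        if not claims or claims["exp"] <= now or claims["jti"] in self._revoked:
            return None
        return claims


class VehicleApi:
    """Resource server: enforces scope per action and keeps an audit trail
    naming the client, so a misbehaving app is attributable."""

    def __init__(self, auth: AuthorizationServer):
        self._auth = auth
        self.audit: list[tuple[str, str, str]] = []

    def call(self, token: str, action: str, now=None) -> str:
        claims = self._auth.verify(token, now)
        if claims is None:
            return "401 invalid, expired or revoked token"
        allowed = set().union(*(SCOPE_ACTIONS.get(s, set()) for s in claims["scope"]))
        if action not in allowed:
            return f"403 scope does not permit {action}"
        self.audit.append((claims["client"], claims["sub"], action))
        return f"200 {action}"
```

Contrast this with the password-sharing model the article describes: there, a leak from any one app developer is equivalent to a leak of the owner's password, grants every capability the API has, and can only be cut off by changing the password everywhere. With a token, the blast radius of a leaked credential is one app, one set of scopes and one expiry window, and the owner can revoke it without touching anything else.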

Dhanjani has identified at least one other potential weakness: a four-pin adapter that connects a laptop to the car's internal network. Although the link is encrypted with OpenVPN, outgoing connections can be configured to use pre-shared credentials. It's still not clear what a connected laptop can do and access once it's authenticated. Still, the connection could represent a privacy or security threat if those credentials were known to someone with physical access to the car.
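The article does not say which OpenVPN mode the adapter uses, so the following is an added example rather than a description of the car: a small lint over OpenVPN client configurations that flags the two forms "pre-shared credentials" usually take, a static key shared by every peer and a username/password stored on disk, and distinguishes them from a per-device certificate with a hardened control channel. The three configurations are constructed for the example.

```python
"""Added example, not from the article or from Tesla. A small lint over
OpenVPN client configurations that flags the pattern the article warns
about, pre-shared credentials that anyone who copies the file can reuse,
as opposed to a per-device certificate with a hardened control channel.
The three configs are constructed; nothing here describes how the
laptop adapter is actually set up."""
from __future__ import annotations


def parse_openvpn(text: str) -> dict[str, list[str]]:
    """Map each directive to the list of its argument strings. Full-line
    comments are dropped and inline <tag>...</tag> blocks are recorded as
    the directive being present with the argument "<inline>"."""
    directives: dict[str, list[str]] = {}
    in_block: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if in_block is not None:
            if line == f"</{in_block}>":
                in_block = None
            continue
        if line.startswith("<") and not line.startswith("</") and line.endswith(">"):
            in_block = line[1:-1]
            directives.setdefault(in_block, []).append("<inline>")
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(" ".join(args))
    return directives


def lint(text: str) -> list[str]:
    """Findings; empty when the config uses certificate auth and hardening."""
    d = parse_openvpn(text)
    findings: list[str] = []
    if "secret" in d:
        findings.append("static-key mode ('secret'): one shared key for every peer, "
                        "no per-device identity, no forward secrecy")
        return findings  # the TLS checks below do not apply to static-key mode
    for arg in d.get("auth-user-pass", []):
        # With no argument OpenVPN prompts at connect time; a filename or an
        # inline block means the username/password sit in clear on disk.
        if arg:
            findings.append(f"auth-user-pass credentials stored in the config ({arg})")
    if not {"ca", "cert", "key"} <= d.keys():
        findings.append("no client certificate (ca/cert/key) configured")
    if not ({"tls-auth", "tls-crypt"} & d.keys()):
        findings.append("control channel not protected with tls-auth or tls-crypt")
    if "remote-cert-tls" not in d:
        findings.append("remote-cert-tls missing: client does not check the server role")
    return findings


# Constructed sample configs (hostnames are placeholders).
STATIC_KEY_CONF = """\
# static key mode: whoever copies static.key can connect
dev tun
remote vpn.example.invalid 1194
secret static.key
"""

STORED_CREDS_CONF = """\
# TLS to the server, but the user's credentials are saved in a file
client
dev tun
remote vpn.example.invalid 1194
remote-cert-tls server
ca ca.crt
auth-user-pass creds.txt
"""

CERT_CONF = """\
# per-device certificate, hardened control channel
client
dev tun
remote vpn.example.invalid 1194
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
(certificate body omitted in this sample)
-----END CERTIFICATE-----
</ca>
cert device.crt
key device.key
tls-crypt tc.key
"""

if __name__ == "__main__":
    for name, conf in (("static-key", STATIC_KEY_CONF),
                       ("stored-creds", STORED_CREDS_CONF),
                       ("certificate", CERT_CONF)):
        print(name, lint(conf) or ["ok"])
```

The practical distinction is revocability: a static key or a saved password copied off a laptop with physical access works until the shared secret is rotated for everyone, whereas a per-device certificate can be revoked individually, and tls-crypt keeps an attacker who only has network access from even starting a handshake.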

Dhanjani said the point of his evaluation was to demonstrate that static passwords and other traditional methods for locking down computers and networks may not be sufficient for cars and other Internet-of-things devices where physical security is often involved. Ars forwarded Dhanjani's report to Tesla officials, but the company has yet to issue a statement in response.

"Tesla has demonstrated innovation leaps beyond other car manufacturers," he wrote. "It is hoped that this document will encourage owners to think deeply about doing their part as well as for Tesla to have an open dialogue with its owners on what they are doing to take security seriously."

Promoted Comments

If we're going to have vehicles with apps, in-dash displays, rear cameras, and more integrated technology in our vehicles, can the auto industry at least invest in better security? Or is that some kind of optional upgrade consumers need to pay for?

I mention this because it's probably still fresh in everyone's mind: Suddenly the prospect of checking that that legally-mandated rear view cam is a live shot becomes critical. Can you imagine if some malicious actor displayed a screen shot that tricked a driver into thinking/perceiving that everything was clear behind them when, in fact, it wasn't?

It goes without saying that there are plenty of *other* dangerous possibilities that also arise.

While I think Tesla and the Model S are cool, I would buy one if I had the money. I don't see the need to integrate everything with the internet and let it have apps, a car does not need apps.

My wife recently purchased a Smart ED electric car for her business. One of the really nice features is that it has a web page associated with the car. With the web page you can view the charging state of the battery, you can turn on the heat or AC before you leave and while the car is still plugged in, etc. Although we don't use it where we are, it also has the ability to schedule charging times in case your electric company provides discounts late at night when electrical demand is less. So there's all sorts of useful features that you can get with an internet-enabled electric vehicle.

There are some useful features - venting on a hot day, using stored engine heat on a cold day to manage the temperature. There's also checking your charge level on an electric car, etc.

Lock has some use if you forgot to lock the car, but a simpler solution is to automatically lock the car after 5 minutes or the keys aren't in the proximity of the car and the interior motion sensors don't detect movement (i.e. a child in the car).

Unlock on a phone only has use if you lost your keys - but in that case, you're not going to be able to start the car anyway.

If you're going to use a third party app with your car, you're making a rather large gamble in the first place, but isn't it easier to... Y'know... Just use the remote that comes with the key?

That's not exactly fair, we use 3rd party programs on or to access all sorts of devices, and the trend is likely to increase. Chances are good you're using a 3rd party program to read this site. More attention needs to be paid to the security of the apps and the systems they run on and interface with.

First of all, Tesla should just use a browser, not a phone app. That at least means security in the phone side of the equation is covered. The fewer vectors, the better. This is to say, make the car yet another internet of things.

Not to mention those keys have vulnerabilities themselves.

Uh no, I am using a browser to read this site. Or are you insisting on playing a game of semantics?

And if that browser isn't the one native to your operating system, you're using 3rd party software on a machine that likely has sensitive/valuable information about you. I'm just calling a spade a spade.

While the minimum length of the password is fairly short does Tesla do anything to limit the maximum? Can I choose a 32 character password that's alphanumeric and has symbols? Not that it cant be brute-forced but its much harder.

I think you might be misunderstanding what's going on here.

First of all, there is no "first party" app for looking at Arstechnica (unless I'm mistaken, haven't looked for an Ars Android app yet).

Second, the "third party" apps we're using to visit Arstechnica don't require admin privileges to the site's servers, and certainly do not allow us to do advanced monitoring on Ars' internal servers, or to unlock things on the server.

An app to access your Tesla is more akin to an Android app on an Android phone. If you install the wrong app and totally click through the permissions screen without reading, your phone could essentially belong to the app developer. With personal information, passwords, and potentially scandalous photos and videos, this is bad. With your $60k-$70k electric sports car unlocking and giving anyone access, this is devastating.

Mozilla Firefox?

Nope. Tesla is very sensitive to the word fire these days.

Not to mention the socio-political ramifications of using Firefox these days.

So say we all.

Anything connected to a network CAN be hacked from another host/user on that network. Connect it to the internet and well you got 7 billion potential hackers. All it takes is one, one time, and it's all over. It's just a matter of how much effort and knowhow it'd take.

You don't even need to do that. You just approach the car with the remote in your pocket and the handle pops out and the car unlocks when you touch the handle. It goes a step further by automatically turning on the car when you buckle in - you don't even touch a button.

My car also doesn't require me to ever take the key out of my pocket (I do have an ignition switch to press). My car also has an app that lets me lock and unlock the car - but if I use the app, I have to take a phone out of my pocket, open the app, wait for it to load and then do the same thing.

Some of these features seem like a solution looking for a problem, which in the process created another problem. The app unto itself is a fine idea and a lot better than ones from BMW etc., however it need not have an unlocking option. Maybe a locking option.

I get why they made the choice they did: long passwords are a pain to enter on a phone and locking someone out of the app could potentially mean locking someone out of the car. Seems like they should have looked at a different authentication method, though.

In my phone, I use the native browser.

If the browser isn't secure, the liability is not on Tesla, but on the phone manufacturer. Write your own apps, the liability is on you.

I understand all that, and you're right, it is devastating -- but it's an inherent risk of basically all software. So what Tesla needs, as the article pointed out, is a secure API that third parties can use (actually probably all applications to avoid MitM attacks), and their not having done so is the big mis-step here.

This just means the game of cat & mouse just began yet again. This time on a sports car, this will be patched and new exploits discovered then patched, cycle repeats and all that it should prove interesting.

Useful? Yes. Required? No. Prone to security holes and expensive repairs? Of course. It's just another thing that can go wrong.

One of the reasons I stay away from BMW is that so many of the core systems are controlled by computers, so much so that it basically forces you to go to the dealer for service. I want my cars to be as simple to maintain and repair as possible, so that I can do the work myself and save money.

imo, the app is very handy and i'm glad it's part of the model s system. more than once being able to unlock the car without the key has proven exceptionally useful; in addition to the other functions the tesla motors mobile app and at least one 3rd party app (visible tesla) provide. couple points:

a. yes, tm should (/have) implement OAuth or similar, and limit login attempts, especially if they move to making the API public -- which it is not currently, a big point. i have no doubt they will do both these things shortly.

b. the mobile app can do nothing substantial to the car while driving so the possibility of a moving disaster is not much of a factor in this issue.

c. remote access to the car can be readily disabled by either tesla motors or the owner via a software toggle, if illegal access is suspected this is a ready stop-gap until credentials are changed.

d. brute forcing the password and user id is unlikely in the extreme. if the user id is known, the password can be bruted to gain access, but this again... is pretty unlikely. and what would be the use? find the car, run up and unlock it while it's sitting on the street, turn on the fan?, steal an empty starbucks cup? you can't start the car with the API, you can't drive it away. and as soon as you open the car, other people will know and have a record of the phone or device used to access it.. all in all, it's a pretty boring 'joy ride'.

Sure, useful. Including a bad-actor cracking the control protocol, working their way into the net connected computer, making their way into the CAN bus and doing all sorts of nasty things.

One thing to note: If you're already using the third party application, they are unlikely to feel the need to change anything. Even if they transmitted the password corresponding to any username you submit to the API in plain text. The only reason they will change is to get more people to use the application. If enough people are already using it, they don't need to get more.

Do you never leave anything in an unattended car more valuable than an empty coffee cup?

If so, why do you lock your car?

Anyway, some people do find themselves in situations where valuables are left in the car, and so the ability of someone to unlock the car might be an issue.

It's really disappointing honestly that Tesla went with "passwords" for authentication at all, given that it's premium hardware that they control top to bottom. If there was every a situation perfect for cryptographic keys or other auth schemes combined with a local PIN at most this would have been it.

One assumes changing anything related to the CAN bus would mandate a physical connection. Or to use the buzz phrase, side channel.

If you watch drivers at charge stations, they spend a lot of time sitting in their car as it charges. I can easily see why you need an app to at least monitor this process, hopefully from inside your office rather than in the parking lot. Think of filling your gas tank through a straw. That is what filling up an electric car is like.

Everyone is worried about thieves unlocking the doors to steal whatever is inside or get away with the car itself. I could see someone taking a different approach with this exploit: ie Locking the user out of their vehicle or disabling ignition/charging and ransoming it back to them. I don't know enough about the Tesla to know if it is possible; I'm assuming the Tesla still has a physical key to unlock doors or turn on the ignition so you might not be able to lock them out or disable the vehicle entirely but DDOSing the charging system or hijacking the user's Tesla accounts seems feasible.

The best you could do is know the owner's password and make continuous REST requests to determine the car state. If the state changes to unlock, lock it again. If the state changes to charging, stop charging, and so forth. There's a good amount of delay, so locking/unlocking would be frustrating but the person with the actual key would always be able to gain access if only because of the latency.

Charging, though... if you had the account password, you could certainly prevent charging as long as the car has a network connection. To combat that, you as the owner can get in and turn off Remote Access to the car, which would halt the attack. As a last resort, Tesla Ownership can verify your ownership of the vehicle, make setting changes to the car remotely, as well as reset your password.

Tesla also monitors your use of the REST protocol and will ban IPs if necessary. So you'd have to limit your requests/commands to avoid hitting the limit that triggers a ban.

So there are things that can be done to annoy an owner, but I don't see any extortion methods that would be available to a hacker.

Normally I would agree. But if you own an electric car, and need to charge it frequently during the day, an app to remotely connect and see your charging status is almost a necessity. Now, granted the Tesla's range is big enough that this isn't a common occurrence (unlike, say, for a Leaf driver), but if I'm using a Supercharger, I'm going to go do other things, and will want to periodically check in to see if I can go back and unplug (and leave).

Other features, like the ability to remotely lock/unlock the car, open the windows, or turn on climate control are very useful and I use them enough to appreciate them. But I would be hard pressed to say they are NEEDED. Likewise for the ability to track the car's location in real time, although once you use it to, say, check if your valet parker is going for a joyride, or stalk your significant other when she's borrowing your car, it's frighteningly addictive.